Cellebrite’s hacking kit is one of the most popular forensics tools on the market, capable of circumventing passcodes and extracting a wealth of data from seized cellphones. US law enforcement agencies have invested heavily in the tech, but Cellebrite may have also sold its wares to authoritarian regimes with abysmal human rights records, such as Turkey, the United Arab Emirates, and Russia, according to a large cache of data obtained by Motherboard.
The revelations raise questions around Cellebrite’s choice of customers, whether it vets them, and what policies, if any, are in place to stop Cellebrite’s technology from being used against journalists or activists.
“While products like those of Cellebrite can have legitimate use in forensic acquisitions, and while we shouldn’t demonize the technology behind them, there is always a concern that in countries where basic freedoms are regularly quashed and where we see a systematic abuse of technology to suppress dissent, these same solutions might become tools in the hands of oppressors,” Claudio Guarnieri, technologist at Amnesty International, told Motherboard in an online chat.
Cellebrite is an Israeli firm that specializes in mobile phone forensics technology. The company’s flagship product, the Universal Forensic Extraction Device (UFED), can pull SMS messages, call logs, internet browsing histories, and in some cases deleted data from phones in the investigator’s physical possession. According to a Cellebrite spreadsheet, UFEDs can extract data from thousands of different models of mobile phones, including popular Android devices.
A Motherboard investigation found that US state police agencies had collectively spent millions of dollars on Cellebrite products. US federal agencies, such as the FBI and Secret Service, are also Cellebrite customers.
Not much information has been available concerning the company’s customers elsewhere in the world. In an interview with the BBC last year, Cellebrite VP of Business Development and Forensics Yuval Ben-Moshe said “I don’t know” if Cellebrite would sell its products to repressive regimes.
A hacker provided Motherboard with over 900 gigabytes of Cellebrite-related data. That cache includes customer information, legal documents, and a vast amount of technical material, including scripts, databases, and log files apparently from Cellebrite devices. On Thursday, Cellebrite confirmed the data breach in a statement published after Motherboard informed the company of the hack.
The data also contains customer support tickets, with clients asking for assistance on technical issues. Motherboard verified customer email addresses in the hacked data by attempting to create accounts on the Cellebrite login portal. In many cases, making an account was not possible because the email address was already in use. One customer included in the data confirmed the contents of their support ticket.
These tickets include a 2011 communication from Turkey’s national police force. According to a recent Amnesty International report, Turkish police have subjected prisoners to beatings, torture, and in some cases rape.
Messages dated 2011 from the United Arab Emirates’ Ministry of Interior and a 2012 communication from a Russian Federation prosecutor’s office are also contained within the data. The United Arab Emirates is notorious for torturing prisoners.
“I want to know how to extract Blackberry,” one support message from the Bahraini Ministry of Interior police force reads. That force has been accused of sectarian violence, and torture and ill-treatment of prisoners remains rife in the Ministry, according to a 2015 report from Amnesty International.
None of the named agencies responded to emailed questions on what sort of crimes they may use Cellebrite’s technology to combat.
It’s important to note that these countries likely do have legitimate uses for Cellebrite products and other mobile forensics technologies. In December, the Turkish government said it was seeking assistance in accessing the mobile phone of a politically-motivated assassin.
However, abuses do occur. Last year, The Intercept reported that Cellebrite technology was used in the prosecution of a Bahraini political dissident.
Cellebrite’s End User License Agreement (EULA) makes no mention of respecting human rights. It also does not state that Cellebrite’s tools shouldn’t be used against certain populations, such as journalists.
Cellebrite declined a request for comment, and did not answer an emailed set of questions about the company’s vetting of customers, nor the absence of any human rights clauses from the EULA.
“We ask companies to be conscious about their role in enabling abuses, and to conduct their business with consideration of the human rights records of their clients,” Guarnieri from Amnesty International said.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.